I am using the following WMI query to gather free disk space info on a Windows 2008 R2 server. The problem I have is that the query seems to be sending information not only for the local disk on the server but also for the CD-ROM drive installed on the server.
interval = 600
wql = select Name, FreeSpace from Win32_LogicalDisk
index = default
disabled = 0
Here's the data the universal forwarder on the server is sending to Splunk, which I think is the data for the CD-ROM drive. Notice the NULL value for the FreeSpace parameter?
host=paul | sourcetype=WMI:FreeDiskSpace | source=WMI:FreeDiskSpace
How do I get the universal forwarder to send the free space information only for the actual disk drives and not the CD-ROM drive?
Thanks a lot in advance.
You could always add a where to the end of your query, something like:
where Name = 'C:' OR Name = 'E:' etc. You may need to use C:\ depending on your system.
Thanks for your prompt reply Drainy. It's working for me now :-).
But then, what if I have two logical drives?
Will "Where Name = 'C:' and 'the next logical drive:'" work?
Sorry, it wasn't very clear. The whole statement from where to 'E:' is to allow for two Names. The OR is part of the query 🙂
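A way to check a candidate filter on the server itself before putting it after `wql =` in the input stanza, as an added example that is not part of the original thread. The drive letters C: and E: come from the answer above; the `DriveType = 3` variant (local fixed disks in Win32_LogicalDisk) is an assumption added here as a filter that does not depend on drive letters.

```powershell
# Added example: run each candidate WQL query locally and flag rows whose
# FreeSpace is NULL (what an empty CD-ROM drive returns).
# Uses Get-WmiObject so it also works on the PowerShell 2.0 shipped with 2008 R2.

$base = 'select Name, FreeSpace from Win32_LogicalDisk'

# label, query pairs; kept as an array so the output order is fixed
$candidates = @(
    @('unfiltered (query from the question)', $base),
    @('by name (drive letters from the answer)', "$base where Name = 'C:' OR Name = 'E:'"),
    @('by type (assumption: DriveType 3 = local fixed disk)', "$base where DriveType = 3")
)

foreach ($pair in $candidates) {
    $label = $pair[0]
    $wql   = $pair[1]
    Write-Host ""
    Write-Host "== $label"
    Write-Host "   $wql"

    try {
        # -ErrorAction Stop turns an invalid WQL statement into a catchable error
        $rows = @(Get-WmiObject -Query $wql -ErrorAction Stop)
    } catch {
        Write-Warning "query rejected: $($_.Exception.Message)"
        continue
    }

    foreach ($row in $rows) {
        if ($null -eq $row.FreeSpace) {
            Write-Host ("   {0,-4} FreeSpace=NULL  <- would be indexed as an empty value" -f $row.Name)
        } else {
            Write-Host ("   {0,-4} FreeSpace={1} ({2:N1} GB)" -f $row.Name, $row.FreeSpace, ($row.FreeSpace / 1GB))
        }
    }

    $nullCount = @($rows | Where-Object { $null -eq $_.FreeSpace }).Count
    Write-Host "   rows: $($rows.Count), rows with NULL FreeSpace: $nullCount"
}
```

A query that reports zero NULL rows here is the one to use in the forwarder's WMI input; a rejected query shows up as a warning instead of silently returning nothing.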